diff --git a/drivers/exec/driver.go b/drivers/exec/driver.go
index 50ba7d059..4bbd337be 100644
--- a/drivers/exec/driver.go
+++ b/drivers/exec/driver.go
@@ -297,11 +297,16 @@ func (d *Driver) StartTask(cfg *drivers.TaskConfig) (*drivers.TaskHandle, *cstru
 return nil, nil, fmt.Errorf("failed to create executor: %v", err)
 }
 
+ user := cfg.User
+ if user == "" {
+ user = "nobody"
+ }
+
 execCmd := &executor.ExecCommand{
 Cmd: driverConfig.Command,
 Args: driverConfig.Args,
 Env: cfg.EnvList(),
- User: cfg.User,
+ User: user,
 ResourceLimits: true,
 Resources: cfg.Resources,
 TaskDir: cfg.TaskDir().Dir,
diff --git a/drivers/java/driver.go b/drivers/java/driver.go
index b96377da7..1b561697a 100644
--- a/drivers/java/driver.go
+++ b/drivers/java/driver.go
@@ -328,11 +328,16 @@ func (d *Driver) StartTask(cfg *drivers.TaskConfig) (*drivers.TaskHandle, *cstru
 return nil, nil, fmt.Errorf("failed to create executor: %v", err)
 }
 
+ user := cfg.User
+ if user == "" {
+ user = "nobody"
+ }
+
 execCmd := &executor.ExecCommand{
 Cmd: absPath,
 Args: args,
 Env: cfg.EnvList(),
- User: cfg.User,
+ User: user,
 ResourceLimits: true,
 Resources: cfg.Resources,
 TaskDir: cfg.TaskDir().Dir,
diff --git a/drivers/shared/executor/executor_linux.go b/drivers/shared/executor/executor_linux.go
index 9a06e1140..5ff6085dd 100644
--- a/drivers/shared/executor/executor_linux.go
+++ b/drivers/shared/executor/executor_linux.go
@@ -506,7 +506,9 @@ func configureIsolation(cfg *lconfigs.Config, command *ExecCommand) error {
 "/proc/sys", "/proc/sysrq-trigger", "/proc/irq", "/proc/bus",
 }
 
- cfg.Devices = lconfigs.DefaultAutoCreatedDevices
+ // we bind-mount /dev to preserve pre-0.9 behavior; so avoid setting up individual devices
+ cfg.Devices = []*lconfigs.Device{}
+
 if len(command.Devices) > 0 {
 devs, err := cmdDevices(command.Devices)
 if err != nil {
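Review bot: The `"nobody"` fallback is a bare string literal here and again in the java driver's StartTask hunk, with no comment on why it exists, so the two copies can drift apart and the intent is not recorded. Presumably the aim is to keep a task with no configured user from running under the executor's own account, but that is not shown in this diff. A constant shared by both drivers would remove the duplication, and a comment above the check such as `// default to an unprivileged user when the task does not name one` would record the reason. The check only covers the empty string, so an explicit `root` in cfg.User still passes through unchanged; if that is intended, the same comment should say so. StartTask begins and ends outside the hunk.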
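Review bot: The new comment above `cfg.Devices = []*lconfigs.Device{}` gives the compatibility reason but not the consequence, which is what a later maintainer needs to know. With the default device list gone and the host's /dev bind-mounted by the following hunk, the task sees every device node the host has rather than a fixed minimal set. I would extend the comment to something like `// /dev is bind-mounted from the host (pre-0.9 behavior), so no device nodes are created here; the task sees all host device nodes and access rests on node permissions and the task user`. Whether a cgroup device allowlist still applies is not visible in this diff, and the comment should say so if it does. configureIsolation continues outside the hunk.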
@@ -517,11 +519,10 @@ func configureIsolation(cfg *lconfigs.Config, command *ExecCommand) error {
 
 cfg.Mounts = []*lconfigs.Mount{
 {
- Source: "tmpfs",
+ Source: "/dev",
 Destination: "/dev",
- Device: "tmpfs",
- Flags: syscall.MS_NOSUID | syscall.MS_STRICTATIME,
- Data: "mode=755",
+ Device: "bind",
+ Flags: syscall.MS_BIND | syscall.MS_RDONLY | syscall.MS_NOEXEC,
 },
 {
 Source: "proc",
@@ -529,26 +530,6 @@ func configureIsolation(cfg *lconfigs.Config, command *ExecCommand) error {
 Device: "proc",
 Flags: defaultMountFlags,
 },
- {
- Source: "devpts",
- Destination: "/dev/pts",
- Device: "devpts",
- Flags: syscall.MS_NOSUID | syscall.MS_NOEXEC,
- Data: "newinstance,ptmxmode=0666,mode=0620,gid=5",
- },
- {
- Device: "tmpfs",
- Source: "shm",
- Destination: "/dev/shm",
- Data: "mode=1777,size=65536k",
- Flags: defaultMountFlags,
- },
- {
- Source: "mqueue",
- Destination: "/dev/mqueue",
- Device: "mqueue",
- Flags: defaultMountFlags,
- },
 {
 Source: "sysfs",
 Destination: "/sys",
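Review bot: The replacement /dev mount drops `MS_NOSUID`, which the tmpfs mount it replaces carried; unless setuid semantics under /dev are wanted, the flags line should keep it: `Flags: syscall.MS_BIND | syscall.MS_RDONLY | syscall.MS_NOEXEC | syscall.MS_NOSUID,`. `MS_RDONLY` here stops a task from creating or removing entries under /dev but does not make the device nodes themselves read-only, since a node the task user may open for writing stays writable. The isolation therefore depends on host node permissions and on the `nobody` default added in the driver hunks, which is worth a comment next to the mount. The bind is also non-recursive (no `MS_REC`) and the next hunk removes the dedicated /dev/pts, /dev/shm and /dev/mqueue mounts, so tasks that need a pty or POSIX shared memory will likely find those directories unwritable; that deserves a comment or a changelog entry.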